Thursday, November 2, 2023

Gramm-Leach-Bliley FTC Safeguard Rules Updated 6/2023 - Regulators asking lots of questions

Changes published in 2021 went into final effect in June 2023. Now, regulators are stepping up their review.

We've been seeing the impact of the updated CyberSecurity examinations prompted by the December 2021 FTC rule revisions. Regulators are dumping massive checklists into the exam load, and most companies don't have the bandwidth to address it. It's a hefty load, but it's worth going through to establish a baseline. 



Click here for the updated rule 

Click here for the CSBS Model Examination Form for non-banks 

The word you will see the most in an examination citation is "implementation." This means that, no matter how good your model policy is, if you're not doing - or have evidence that you can do - the things the rule requires, you'll likely be cited. 

Like every good compliance program, policies and procedures are simply part of a complete IT Security Plan. There are 4 pillars of every compliance program: 

  1. a compliance officer, 
  2. policies and procedures
  3. training, and 
  4. testing/auditing. 
Most of the policies we've seen are precisely that - policies. There is very little procedure. In other words, the model form says, "We will comply," but doesn't say, "This is how we comply." This is the most significant difference between our products and those written by lawyers or compliance experts. 

Location of IT Security Questionnaire Items in 2-9 IT/CyberSecurity Plan

 

States Strictly Enforcing GLB Compliance

  • DC
  • Maryland
  • Massachusetts
  • Virginia
  • Texas
  • New York

Remember to add those non-policy items

  • List of hardware (investor)
  • List of software and cloud services
  • List of vendors (investors, office tech, processors, etc. )
  • Cyber Insurance Policy

Tools for Self-Training



Tools for Self-Audit